Redirects->Trojans->0Access->No Internet

[thisisu]

Quote:

Originally Posted by rockyjo

Could you give me a bit of info of what you're finding so I can be a little more educated?

The main problem that was preventing you from accessing the internet was that the IPSec service was corrupt / damaged and ipsec.sys was missing at c:\windows\system32\drivers

I also cleaned up the mess up this variant of ZeroAccess causes to NetSvcs.

By the way, can you attach this file which has been quarantined for further analysis?

• C:\_OTL\MovedFiles\04142012_221219\C_WINDOWS\svcs.exe

Zip it up and then attach it to your next post.

Thanks

[rockyjo]

Hi thisisus,

1) Rec'd the same "symantec"-related error message at the outset of running getlogs.bat again; I "ignored" again.

2) On the laptop, which relates to the original problem on the vintage sick puppy, I asked about running Combofix on it at the beginning because mbytes, sas, kaspersky, tdsskiller and for that matter avg coasted right over the zeroaccess several times, either without identifying it at all or giving indication that it was fixed/repaired/removed, when it wasn't; Cfix was the only one to identify it (until we tried panda), and then it aborted. "Read me first" steps were what I did first with the sick puppy b4 posting, and that didn't do the job; could have had many believe it was gone, actually. Maybe I should use the panda routine first?

More after uploads...

[rockyjo]

PS. On symantec, the pc had a corporate version ("corporate" was the name); it wasn't listed in the tool you gave me a link for but I hoped it would take care of it anyway; apparently not.

3) I guess I don't know how to zip up a file, I never have occasion to do it; please advise.

4) So are you thinking zeroaccess is gone now? I saw that panda found some malware drivers...

RJ

[thisisu]

I am attaching the corporate symantec removal tool.

Reviewing your logs now.

[thisisu]

Quote:

Originally Posted by rockyjo

3) I guess I don't know how to zip up a file, I never have occasion to do it; please advise.

Watch this video / tutorial:

http://www.youtube.com/watch?v=CRut2J1W8qM

[thisisu]

Quote:

Originally Posted by rockyjo

So are you thinking zeroaccess is gone now?

Yes it's gone now. Your latest logs look clean but you should delete this empty folder:

C:\WINDOWS\$NtUninstallKB21289$

Also, you only had the ZeroAccess infection. You don't have to worry about the other PC you were using to upload logs being infected because of this one.

__

If the Symantec NoNAV removal tool does not fix that error you are getting, try what is suggested in this article: http://www.symantec.com/business/sup...&id=TECH100470

[rockyjo]

thisisu,

Running the removal tool now; said it would need to restart but isn't doing that. I believe I will wait longer and then do a manual reboot.

Perhaps you'll see this at your next response: 1) should I start cleaning out user-installed files to increase disk space and RAM now, or wait 'til we're done? 2) on that note, could you send links to best ways to do that? I have looked on this site and those instructions are probably there, but I haven't found them. ('Don't want to just web search, prefer to use a trusted site.) For example, there is nothing in the startup box on my pcs; nevertheless, task mgr always shows (many) questionable files (for most pc users); and control-panel-admin tools-services has a whole host of routines that seem like they could be set to "manual" instead of automatic--but how to know which, or if they're even RAM hogs separately or in total? And, I don't need 47 extra languages of anything, nor sample files of anything, etc.--is there a link(s) you guys know about that explains what you can remove, without having to do a search on every unknown file name and then guess if it's essential? Anything to make the process more efficient. Also, could you advise how to rank user-created files on the whole drive by size? I know I can do it within folders, but if I could rank them for the whole c: drive at once it might be more efficient.

Symantec tool did not reboot so I will.

More later,
Thanks much.
RJ

[rockyjo]

C:\WINDOWS\$NtUninstallKB21289$
In this, I show folder: 3530260802, within that, folders: L which has file eiintoqb with no extension, 159 kb; and folder U which is empty.

Just reconfirming, I should delete this whole thing?

[thisisu]

Quote:

Originally Posted by rockyjo

C:\WINDOWS\$NtUninstallKB21289$
In this, I show folder: 3530260802, within that, folders: L which has file eiintoqb with no extension, 159 kb; and folder U which is empty.

Just reconfirming, I should delete this whole thing?

Yes, try to. The Panda tool should have emptied it but apparently not.

[rockyjo]

thisisu,

Yes, that file deleted fine, and the corporate tool worked as I ran mgtools .bat again and did not receive the symantec message. Thank you!

Working on the zip upload next.

RJ

[rockyjo]

Here comes...

[thisisu]

Got it thanks. Removing your attachment now.

How is the computer running now? Are you ready for final steps?

[rockyjo]

Hi thisisu,

Could I give it a whirl for a day and get back with you tomorrow a.m.? (I think the malware is gone but I hesitate to conclude that without using a little more at least.)

In the meantime, any advice from one of my last posts on efficient clean out?

Another example: Under Prog Files, can I safely remove folders: Movie Maker, MSN Gaming Zone, Outlook Express? Never use and never intend to use any of those (I use Outlook, do I need express too?) Also, MSXML 6.0, Netmeeting, and Online Services look questionable.

PC needs update (after we're done) to sp3, add back java, adobe reader, do other updates, add back av, but concerned that even updating to sp3 will overwhelm the pc...

And it needs a "light on resources" preferably freeware av--ideas?

Any help would be appreciated, immensely .

RJ

[thisisu]

Quote:

Originally Posted by rockyjo

Hi thisisu,

Could I give it a whirl for a day and get back with you tomorrow a.m.? (I think the malware is gone but I hesitate to conclude that without using a little more at least.)

Not a problem.

Quote:

Originally Posted by rockyjo

Under Prog Files, can I safely remove folders

No. This is not the way to go about this. After a second glance of your logs:

Code:

Drive	C:	
Description	Local Fixed Disk	
Size	12.64 GB (13,571,678,208 bytes)	
Free Space	2.02 GB (2,169,413,632 bytes)

Disregard my previous messages about freeing up space since the hard drive itself does not have much space.

This PC is pretty old, 10 years+? It's still fine for just surfing the net and checking emails but I wouldn't recommend doing much else with it.

Quote:

Originally Posted by rockyjo

And it needs a "light on resources" preferably freeware av--ideas?

Microsoft Security Essentials

Code:

Total Physical Memory	384.00 MB

I don't recommend running an antivirus if you're running this amount of memory (it's a low amount for today's standards).

It's better than nothing sure, but I do not think the potential slow down is worth it.

Quote:

In the meantime, any advice from one of my last posts on efficient clean out?

What problems is your other computer having?

[rockyjo]

Hello thisisu,

Sorry for the long departure, the week sped.

1) On the pc we've been working on, I would like to run either Cfix or Panda once more just to make sure it doesn't pick up anything, since those were the only two that did before, but I haven't done it yet until I hear from you.

I have only rec'd 1 error message on that computer in a week and no redirects (I only use it for specific, narrow, routine tasks), so I believe the 0access is gone! Thank you hundreds! I will post the error message when I'm there.

Per previous comment, there are files that can be removed from the hard drive to free up substantial space. 'Can't do anything about mem size at this point. I would like to protect it if possible; does av require "a lot" of memory?

On related subject of memory, though not having to do with av, when one is using the net, is there a way to clear working memory real time, rather than exit the internet and return?

2) On the other hand, I do believe the laptop caught something while we were working on the other pc, since it started the time of cleaning the other pc and porting files back and forth; I feel like that's when the bug arrived. Laptop is also xp pro, however sp3, ie, avg. Not sure what it is: no redirects, extremely slow getting onto the net and using the net; several times it just gave the "no connect" screen; checked task mgr once for System, cpu 0, memory 111,488, and System Idle, cpu 99, memory 16. Receive avg messages that ie is taking too much memory. Unfortunately, also rec'd a BSOD, that Win attributed to WLANUHN.sys, page-fault-in-nonpaged-area. I wrote down the other x00... codes when this happened as well; let me know if you want them. As advised by Win, rebooted and Win came up normally.

Win also attributed it to newly installed hardware, or Win updates that hadn't been done, or virus. There is no newly installed hardware, or software other than avg updates. I checked Win for updates and there are no high priority updates that the pc needs; there were some optional hardware and software--was going to do those but thought I should wait for instruction(s) on what to do first. So perhaps virus/trojan. Read me first reports? Get back in line with this pc? Please advise.

Thank you.
RJ

[thisisu]

Quote:

Originally Posted by rockyjo

Hello thisisu,

Sorry for the long departure, the week sped.

Hi. No problem.

Quote:

Originally Posted by rockyjo

1) On the pc we've been working on, I would like to run either Cfix or Panda once more just to make sure it doesn't pick up anything, since those were the only two that did before, but I haven't done it yet until I hear from you.

You can run either or if you'd like. For ComboFix, do not use a CFScript.txt. Just run it normally.

Quote:

Originally Posted by rockyjo

I have only rec'd 1 error message on that computer in a week and no redirects (I only use it for specific, narrow, routine tasks), so I believe the 0access is gone! Thank you hundreds! I will post the error message when I'm there.

K, let me know the error message. You're welcome again

Quote:

Originally Posted by rockyjo

Per previous comment, there are files that can be removed from the hard drive to free up substantial space. 'Can't do anything about mem size at this point. I would like to protect it if possible; does av require "a lot" of memory?

It depends on the Antivirus chosen to install. I think MSE is one of the "lightest" ones but I don't know the actual requirements. I would just install it and see if the PC becomes unbearable with 384MB.

Quote:

Originally Posted by rockyjo

On related subject of memory, though not having to do with av, when one is using the net, is there a way to clear working memory real time, rather than exit the internet and return?

Exit out of processes and stop services that you aren't using that are running in the background. It requires some knowledge to know what processes are for what programs, which services control what programs, etc. These types of "tweaks" unfortunately are not the scope of this forum. I wish we had a "Tweaking" section, I know I'd be using it Your best bet in the meantime would be to ask for advice in the Software forum.

Quote:

Originally Posted by rockyjo

also rec'd a BSOD, that Win attributed to WLANUHN.sys, page-fault-in-nonpaged-area. I wrote down the other x00... codes when this happened as well; let me know if you want them. As advised by Win, rebooted and Win came up normally.

WLANUHN.sys is related to Wireless-N-USB-Adapter. I don't need the tech code since it provided the driver file associated to the BSOD.

Quote:

Originally Posted by rockyjo

Win also attributed it to newly installed hardware, or Win updates that hadn't been done, or virus. There is no newly installed hardware, or software other than avg updates. I checked Win for updates and there are no high priority updates that the pc needs; there were some optional hardware and software--was going to do those but thought I should wait for instruction(s) on what to do first. So perhaps virus/trojan. Read me first reports? Get back in line with this pc? Please advise.

Thank you.
RJ

You can run through the Read and Run Me first on the other PC if you'd like. However, if you still have trouble afterwards, create a new thread (don't post information from the second PC in this thread) describing the problems you are experiencing.

[rockyjo]

Hi thisisu,

Here's the error message from the pc we've been working on, on exiting creative media player:
CTCMSU.exe Application error
The instruction at "0x0748350e" referenced memory at "0x06832268". The memory could not be "read." Click OK to terminate the program.

I will get back with you after running CFix, but could put this up now so am.

Rockyjo

[thisisu]

Ok, is this error message just recently start appearing or has it been there for a while?
I will wait for your ComboFix log

[rockyjo]

Hello thisisu,

1) I don't know the answer to your question. I haven't used the sound in awhile as it hasn't been working so don't know if I had tried to, if/when I would have rec'd an error message. Since it looked like we were successfully finishing, thought I'd get in line on that subject in the Software section as thought it would take a while to get to the top of the list. I rec'd feedback right away and had been working on that during the time I wanted to test out my pc to get an opinion if it was fixed from what we've been working on. So I don't know if the error message would have popped up before we started or not.

2) Am running CFix and unfortunately it stopped; appears to have stalled before it began, similar to b4. Process: I clicked on the CFix icon on my desktop, it updated to newer version, started, and I have "Scanning for infected files... This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double" and I could hear the cpu chewing for awhile and now nothing. It did not go through any layers. Same as when we first started or somewhere in the middle. Bummer. PC is frozen. So looks like a cold boot is required.

Please advise.

Rockyjo

PS. Thanks for your patience; I am back on this multi-times daily again until it is finished.

[thisisu]

I do not think you have anything to worry about as your logs are clean but you can reboot into Safe Mode and retry ComboFix from there if you'd like. It does not work on all systems though so you may want to try the Panda tool again since you had success with that before.